Merge pull request #21 from alivx/ali_JanFix

General improvement  ⚡️

Author: alivx

README.md

@@ -138,10 +138,14 @@ ansible-playbook -i host run.yaml -t section2 -t 6.1.1
 * Note:
 When run an individual task be sure from the dependencies between tasks, for example, if you run tag **4.1.1.2 Ensure auditd service is enabled** before running **4.1.1.1 Ensure auditd is installed** you will get an error at the run time.
 
-Points with ~~Tilda~~ not implemented yet, currently I'm working on it.
-
-
+* Points with ~~Tilda~~ not implemented yet, currently I'm working on it.
+* make sure to select one time service, for me I use ntp, but you can use other service such as [`systemd-timesyncd`,`ntp`,`chrony`] under the settings `defaults/main.yaml`
+> Testing
+> 11/1/2020 Tested on AWS EC2 ubuntu 20.04 LTS [Pass]
+> 11/1/2020 Tested on local Ubuntu 20.04 LTS server [Pass]
 
+* Before run make sure to update user list under `defaults/main.yaml` on `list_of_os_users` + `allowed_users`
+* `Make` sure to set the right subnet under `defaults/main.yaml` on `allowd_hosts`
 
 _________________
 
@@ -200,9 +204,9 @@ _________________
 
 **1.5 Secure Boot Settings**
 
-  - ~~1.5.1 Ensure bootloader password is set (Automated)~~
+  - 1.5.1 Ensure bootloader password is set (Automated)
   - 1.5.2 Ensure permissions on bootloader config are configured - (Automated)
-  - ~~1.5.3 Ensure authentication required for single user mode (Automated)~~
+  - 1.5.3 Ensure authentication required for single user mode (Automated)
 
 **1.6 Additional Process Hardening**
   - 1.6.1 Ensure XD/NX support is enabled (Automated)
@@ -235,8 +239,8 @@ _________________
   - 2.2 Special Purpose Services
   - 2.2.1 Time Synchronization
   - 2.2.1.1 Ensure time synchronization is in use (Automated)
-  - ~~2.2.1.2 Ensure systemd-timesyncd is configured (Manual)~~
-  - ~~2.2.1.3 Ensure chrony is configured (Automated)~~
+  - 2.2.1.2 Ensure systemd-timesyncd is configured (Manual)
+  - 2.2.1.3 Ensure chrony is configured (Automated)
   - 2.2.1.4 Ensure ntp is configured (Automated)
   - 2.2.2 Ensure X Window System is not installed (Automated)
   - 2.2.3 Ensure Avahi Server is not installed (Automated)

defaults/main.yml

@@ -19,6 +19,18 @@ set_root_password: yes
 root_password: r00tP4ssw0rd
 
 # Section 2 Settings
+
+#Setting for systemd-timesyncd
+enable_systemdtimesyncd: no #If you enable this make sure to disable NTP below, only one time service must be run in the server
+timesync_timezone: Etc/UTC
+timesync_fallback_ntp_hosts:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+
+#Setting for NTP
+enableNTP: yes
 time_synchronization_package_name: ntp
 time_synchronization_servers:
   - uri: "time1.google.com"
@@ -29,6 +41,19 @@ time_synchronization_servers:
     config: "iburst"
   - uri: "time4.google.com"
     config: "iburst"
+
+# Setting for chrony
+chronyEnable: no
+chrony_driftfile: /var/lib/chrony/chrony.drift
+chronyservers_preferred: []
+chronyservers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+chrony_keys: /etc/chrony/chrony.keys
+chrony_log_dir: /var/log/chrony
+
 web_server_name: nginx
 remove_HTTPserver: no
 remove_xinetd: yes
@@ -87,7 +112,7 @@ ssh_MACs: "[email protected],[email protected],hmac-sha2
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
 ## 5.2.17 Ensure SSH access is limited
-allowed_users: ali saleh baker root #Put None or list of users space between each user
+allowed_users: ubuntu root #Put None or list of users space between each user
 allowed_groups: None
 deny_users: None
 deny_groups: None
@@ -101,7 +126,7 @@ pass_warn_age: 7
 pass_min_days: 1
 ## 5.4.1.1 Ensure password expiration is 365 days or less
 list_of_os_users:
-  - ali
+  - ubuntu
 ## 5.4.1.4 Ensure inactive password lock is 30 days or less
 ##Note: A value of -1 would disable this setting
 account_inactive: 30
@@ -111,7 +136,7 @@ shell_timeout_sec: 900
 # Section 6
 withoutOwnerFileDirOwner: root
 withoutGroupFilesDirGroup: root
-outputfiles: /home/ali/ #Output dir of some command
+outputfiles: /root/ #Output dir of some command
 disable_autofs: true
 disable_usb: true
 install_apparmor: true

files/templates/chrony.conf.j2

@@ -0,0 +1,59 @@
+# {{ ansible_managed }}
+
+driftfile {{ chrony_driftfile }}
+
+{% for server in chronyservers_preferred %}
+{% if server is search('pool') %}
+pool {{ server }} iburst prefer
+{% else %}
+server {{ server }} iburst prefer
+{% endif %}
+{% endfor %}
+{% for server in chronyservers %}
+{% if server is search('pool') %}
+pool {{ server }} iburst
+{% else %}
+server {{ server }} iburst
+{% endif %}
+{% endfor %}
+
+# Ignore stratum in source selection.
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile {{ chrony_driftfile }}
+
+# Enable kernel RTC synchronization.
+rtcsync
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+hwclockfile /etc/adjtime
+
+# In first three updates step the system clock instead of slew
+# if the adjustment is larger than 10 seconds.
+makestep 10 3
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Allow NTP client access from local network.
+#allow 192.168/16
+
+# Listen for commands only on localhost.
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to any NTP server.
+#local stratum 10
+
+keyfile {{ chrony_keys }}
+
+# Disable logging of client accesses.
+noclientlog
+
+# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
+logchange 0.5
+
+logdir {{ chrony_log_dir }}
+#log measurements statistics tracking

files/templates/greeter.dconf-defaults.j2

@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # These are the options for the greeter session that can be set 
 # through GSettings. Any GSettings setting that is used by the 
 # greeter session can be set here.

files/templates/ntp.conf.j2

@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 driftfile /var/lib/ntp/ntp.drift

files/templates/timesyncd.conf.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Time]
+NTP={{ timesync_ntp_hosts | default("") | join(" ") }}
+FallbackNTP={{ timesync_fallback_ntp_hosts | join(" ") }}

handlers/main.yml

@@ -22,3 +22,11 @@
   service:
     name: rsyslog
     state: restarted
+- name: RestartChronyservice
+  service:
+    name: "chrony"
+    state: restarted
+- name:  reloadTimesyncd
+  service:
+    name:  systemd-timesyncd
+    state: restarted

tasks/section_1_Initial_Setup.yaml

@@ -748,35 +748,35 @@
 # overridden by the user.
 - name: 1.6.4 Ensure core dumps are restricted
   block:
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | sysctl
       sysctl:
         name: fs.suid_dumpable
         value: "0"
         state: present
         reload: true
         sysctl_set: true
         ignoreerrors: true
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | limits.conf
       lineinfile:
         dest: /etc/security/limits.conf
         line: "*                hard    core            0"
         regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
         state: present
         create: true
         insertbefore: "# End of file"
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | apt
       apt:
         name: systemd-coredump
         state: present
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | coredump.conf
       lineinfile:
         dest: /etc/systemd/coredump.conf
         line: "Storage=none"
         regexp: '(^#)?\s*Storage\s*='
         state: present
         create: true
         insertbefore: "# End of file"
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | coredump.conf
       lineinfile:
         dest: /etc/systemd/coredump.conf
         line: "ProcessSizeMax=0"
@@ -824,7 +824,6 @@
         dest: /etc/default/grub
         regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)'
         replace: '\1 apparmor=1 security=apparmor\2'
-        follow: true
       register: output_1_7_1_2
     - name: 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration | reload
       shell: |

tasks/section_2_Services.yaml

@@ -58,6 +58,8 @@
         name: "ntp"
         state: started
         enabled: true
+  when: "{{enableNTP}}"
+
   tags:
     - section2
     - level_1_server
@@ -72,17 +74,54 @@
 # This recommendation only applies if timesyncd is in use on the system
 # Only one time synchronization method should be in use on the system
 - name: 2.2.1.2 Ensure systemd-timesyncd is configured
-  debug:
-    msg: Skip this, since we are using ntp
+  block:
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | install systemd-timesyncd
+      apt:
+         name: systemd-timesyncd
+         state: present
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | set timezone
+      timezone:
+        name: "{{ timesync_timezone }}"
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Configure systemd-timesyncd
+      template:
+        src:  files/templates/timesyncd.conf.j2
+        dest: /etc/systemd/timesyncd.conf
+        mode: 0644
+        owner: root
+        group: root
+      notify: reloadTimesyncd
+    - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Start and enable systemd-timesyncd
+      service:
+        name: systemd-timesyncd.service
+        enabled: yes
+        state: started
+  when: "{{enable_systemdtimesyncd}} == True"
   tags:
     - section2
     - level_1_server
     - level_1_workstation
     - 2.2.1.2
 # 2.2.1.3 Ensure chrony is configured
 - name: 2.2.1.3 Ensure chrony is configured
-  debug:
-    msg: Skip this, since we are using ntp
+  block:
+    - name: 2.2.1.3 Ensure chrony is configured | Install Chrony
+      apt:
+        name: "chrony"
+        state: present
+    - name: 2.2.1.3 Ensure chrony is configured | Start Chrony service
+      service:
+        name: "chrony"
+        state: started
+        enabled: yes
+    - name: 2.2.1.3 Ensure chrony is configured | Generate configuration
+      template:
+        src: files/templates/chrony.conf.j2
+        dest: "/etc/chrony/chrony.conf"
+        owner: root
+        group: root
+        mode: 0644
+      notify: RestartChronyservice
+  when: "{{chronyEnable}} == True"
   tags:
     - section2
     - level_1_server
@@ -452,9 +491,18 @@
     msg: >
       Run the following command:
       $ lsof -i -P -n | grep -v "(ESTABLISHED)"
-      Review the output to ensure that all services listed are required on the system. If a listed
-      service is not required, remove the package containing the service. If the package
-      containing a non-essential service is required, stop and mask the non-essential service.
+        Review the output to ensure that all services listed are required on the system. If a listed
+        service is not required, remove the package containing the service. If the package
+        containing a non-essential service is required, stop and mask the non-essential service.
+        Code Meaning 
+        S File size differs. 
+        M File mode differs (includes permissions and file type). 
+        5 The MD5 checksum differs. 
+        D The major and minor version numbers differ on a device file. 
+        L A mismatch occurs in a link. 
+        U The file ownership differs. 
+        G The file group owner differs. 
+        T The file time (mtime) differs.
   tags:
     - section2
     - level_1_server